Index: contrib/file/file.h
===================================================================
RCS file: /home/ncvs/src/contrib/file/file.h,v
retrieving revision 1.1.1.7
diff -u -I__FBSDID -I$FreeBSD -r1.1.1.7 file.h
--- contrib/file/file.h	9 Aug 2004 08:45:39 -0000	1.1.1.7
+++ contrib/file/file.h	17 May 2007 17:05:04 -0000
@@ -225,7 +225,7 @@
 	/* Accumulation buffer */
 	char *buf;
 	char *ptr;
-	size_t len;
+	size_t left;
 	size_t size;
 	/* Printable buffer */
 	char *pbuf;
Index: contrib/file/funcs.c
===================================================================
RCS file: /home/ncvs/src/contrib/file/funcs.c,v
retrieving revision 1.1.1.1
diff -u -I__FBSDID -I$FreeBSD -r1.1.1.1 funcs.c
--- contrib/file/funcs.c	9 Aug 2004 08:45:39 -0000	1.1.1.1
+++ contrib/file/funcs.c	17 May 2007 17:05:04 -0000
@@ -28,6 +28,7 @@
  */
 #include "file.h"
 #include "magic.h"
+#include <limits.h>
 #include <stdarg.h>
 #include <stdlib.h>
 #include <string.h>
@@ -43,27 +44,31 @@
 file_printf(struct magic_set *ms, const char *fmt, ...)
 {
 	va_list ap;
-	size_t len;
+	size_t len, size;
 	char *buf;
 
 	va_start(ap, fmt);
 
-	if ((len = vsnprintf(ms->o.ptr, ms->o.len, fmt, ap)) >= ms->o.len) {
+	if ((len = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap)) >= ms->o.left) {
+		long diff;  /* XXX: really ptrdiff_t */
+
 		va_end(ap);
-		if ((buf = realloc(ms->o.buf, len + 1024)) == NULL) {
+		size = (ms->o.size - ms->o.left) + len + 1024;
+		if ((buf = realloc(ms->o.buf, size)) == NULL) {
 			file_oomem(ms);
 			return -1;
 		}
-		ms->o.ptr = buf + (ms->o.ptr - ms->o.buf);
+		diff = ms->o.ptr - ms->o.buf;
+		ms->o.ptr = buf + diff;
 		ms->o.buf = buf;
-		ms->o.len = ms->o.size - (ms->o.ptr - ms->o.buf);
-		ms->o.size = len + 1024;
+		ms->o.left = size - diff;
+		ms->o.size = size;
 
 		va_start(ap, fmt);
-		len = vsnprintf(ms->o.ptr, ms->o.len, fmt, ap);
+		len = vsnprintf(ms->o.ptr, ms->o.left, fmt, ap);
 	}
 	ms->o.ptr += len;
-	ms->o.len -= len;
+	ms->o.left -= len;
 	va_end(ap);
 	return 0;
 }
@@ -152,8 +157,8 @@
 protected const char *
 file_getbuffer(struct magic_set *ms)
 {
-	char *nbuf, *op, *np;
-	size_t nsize;
+	char *pbuf, *op, *np;
+	size_t psize, len;
 
 	if (ms->haderr)
 		return NULL;
@@ -161,14 +166,20 @@
 	if (ms->flags & MAGIC_RAW)
 		return ms->o.buf;
 
-	nsize = ms->o.len * 4 + 1;
-	if (ms->o.psize < nsize) {
-		if ((nbuf = realloc(ms->o.pbuf, nsize)) == NULL) {
+	len = ms->o.size - ms->o.left;
+	if (len > (SIZE_T_MAX - 1) / 4) {
+		file_oomem(ms);
+		return NULL;
+	}
+	/* * 4 is for octal representation, + 1 is for NUL */
+	psize = len * 4 + 1;
+	if (ms->o.psize < psize) {
+		if ((pbuf = realloc(ms->o.pbuf, psize)) == NULL) {
 			file_oomem(ms);
 			return NULL;
 		}
-		ms->o.psize = nsize;
-		ms->o.pbuf = nbuf;
+		ms->o.psize = psize;
+		ms->o.pbuf = pbuf;
 	}
 
 	for (np = ms->o.pbuf, op = ms->o.buf; *op; op++) {
Index: contrib/file/magic.c
===================================================================
RCS file: /home/ncvs/src/contrib/file/magic.c,v
retrieving revision 1.1.1.1
diff -u -I__FBSDID -I$FreeBSD -r1.1.1.1 magic.c
--- contrib/file/magic.c	9 Aug 2004 08:45:39 -0000	1.1.1.1
+++ contrib/file/magic.c	17 May 2007 17:05:04 -0000
@@ -92,8 +92,7 @@
 		return NULL;
 	}
 
-	ms->o.ptr = ms->o.buf = malloc(ms->o.size = 1024);
-	ms->o.len = 0;
+	ms->o.ptr = ms->o.buf = malloc(ms->o.left = ms->o.size = 1024);
 	if (ms->o.buf == NULL) {
 		free(ms);
 		return NULL;
